Estou usando o CentOS 6.6 tentando chamar o comando service em código PHP
exec("sudo -u kouser bash ./1.bash 2>&1",$output,$code);
1.bash
#!/bin/bash
sudo service httpd graceful
A saída da execução
httpd: unrecognized service
Quando parei o sucesso da execução no SElinux. Eu quero executar meu código sem parar o SELinux, mas eu não quero usar audit2allow ; resolverá o problema, mas sem eu entender o porquê. quando usei audit2why não me deu mais informações.
tail / var / log / messages
May 16 11:21:34 Server6 setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd. For complete SELinux messages. run sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051
sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051
SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that bash should be allowed getattr access on the httpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_initrc_exec_t:s0
Target Objects /etc/rc.d/init.d/httpd [ file ]
Source service
Source Path /bin/bash
Port <Unknown>
Host ERP-Server
Source RPM Packages bash-4.1.2-40.el6.x86_64
Target RPM Packages httpd-2.2.15-53.el6.centos.x86_64
Policy RPM selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name ERP-Server
Platform Linux ERP-Server 2.6.32-504.3.3.el6.x86_64 #1 SMP
Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64
Alert Count 22
First Seen Mon 23 May 2016 11:06:03 AM EEST
Last Seen Tue 07 Jun 2016 11:36:47 AM EEST
Local ID 91c2c1ed-cb12-4d36-a655-c91d63827a16
Raw Audit Messages
type=AVC msg=audit(1465288607.625:383): avc: denied { getattr } for pid=14705 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1465288607.625:383): arch=x86_64 syscall=stat success=no exit=EACCES a0=19ab9b0 a1=7fffc22e8060 a2=7fffc22e8060 a3=8 items=0 ppid=14704 pid=14705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=unconfined_u:system_r:httpd_t:s0 key=(null)
Hash: service,httpd_t,httpd_initrc_exec_t,file,getattr
audit2allow
#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;
audit2allow -R
#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;
finalizar /var/log/audit/audit.log
type=CRED_DISP msg=audit(1463317995.800:917): user pid=5427 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=CRED_ACQ msg=audit(1463317995.807:919): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1463317995.807:920): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc: denied { getattr } for pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_END msg=audit(1463317995.819:922): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.819:923): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1463317995.820:924): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.820:925): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051 descreverá a causa exata, na seção de resumo você encontrará o nome do arquivo & o contexto do selinux
para corrigir o problema, execute o comando abaixo.
chcon -t selinux_context 'file_name'
Um comando sugerido para permitir o acesso e resolver a negação. ele dá o comando para alterar o tipo file1 para public_content_t, que é acessível para o Apache HTTP Server